
Other viewpoints

Credit-card fix is long overdue

About our Editorials

Dispatch editorials express the view of the
Dispatch editorial board, which is made up of the publisher, the president of
The Dispatch, the editor and the editorial-writing staff. As is the traditional newspaper
practice, the editorials are unsigned and intended to be seen as the voice of the newspaper.
Comments and questions should be directed to the
editorial page editor.


Wednesday February 12, 2014 6:12 AM

If you worry about your privacy and carry a credit card, the Target data breach ought to be a
startling wake-up call. A massive theft from card-swiping machines between Nov. 27 and Dec. 18 took
information such as numbers and names from about 40 million customers and compromised personal
information — names, addresses, e-mail addresses or phone numbers — from about 70 million.

Although there may be overlap, perhaps one in four people in the United States were exposed to
fraud and potential loss of privacy. The data were siphoned off by crooks and sent abroad.

How did it happen? According to John Mulligan, Target’s executive vice president and chief
financial officer, who testified Feb. 4 before the Senate Judiciary Committee, intruders crept into
Target’s network and installed malware designed to skim off credit- and debit-card information. How
they did that is not known, although cybersecurity sleuth Brian Krebs has reported that they may
have gotten into the network through a vendor to Target; the vendor said it was a “victim of a
sophisticated cyber attack operation.” The crooks then spread the stealthy malware to the
point-of-sale machines. The data were skimmed off in the seconds after customers swiped their cards
during the busy holiday season.

Chastened, Mulligan told the Senate panel that Target was accelerating a $100 million investment
to convert to so-called chip-and-PIN technology that is more secure. He pledged that Target would
have it in place early next year, six months earlier than planned. Mr. Mulligan’s response raises a
larger question: Why isn’t the United States as a whole moving more quickly toward chip-and-PIN
technology?

The answer is that it is coming, next year, but the transition involves costs that stores, card
companies and banks have been reluctant to bear. When Europeans adopted the technology more than a
decade ago, they lacked a continent-wide online verification system, so the new approach made
sense, allowing verification on site. But such an online verification system did exist in North
America. Since then, however, the magnetic swipe cards have become much more vulnerable.

The chip-and-PIN technology is now widely used in Europe and is being adopted around the world.
These cards have data embedded on a chip, and the user inserts the card and inputs a personal
identification number. This two-step verification process is more secure, although not ironclad,
since the data still can be transmitted through networks and be subject to theft. American Express,
Discover, MasterCard and Visa all have announced plans to move toward a chip-and-PIN payments
system, and after October 2015, merchants who don’t use the more-secure technology will face
greater liability for fraud and higher penalties. A next-generation technology, contactless cards,
is on the horizon.

Consumers in the United States generally have been shielded from liability for fraud on their
cards and have grown complacent.

They ought to be angry at the industry’s lag. Privacy needs to be protected.